| import { describe, it, expect, beforeAll } from 'vitest'; |
| import { initDb } from '../../db/index.js'; |
| import { encrypt, decrypt, maskKey } from '../../lib/crypto.js'; |
|
|
| describe('Crypto', () => { |
| beforeAll(() => { |
| process.env.ENCRYPTION_KEY = '0'.repeat(64); |
| initDb(':memory:'); |
| }); |
|
|
| it('should encrypt and decrypt a key round-trip', () => { |
| const original = 'gsk_test1234567890abcdef'; |
| const { encrypted, iv, authTag } = encrypt(original); |
| const decrypted = decrypt(encrypted, iv, authTag); |
| expect(decrypted).toBe(original); |
| }); |
|
|
| it('should produce different ciphertext for same input (random IV)', () => { |
| const original = 'same-key'; |
| const a = encrypt(original); |
| const b = encrypt(original); |
| expect(a.encrypted).not.toBe(b.encrypted); |
| expect(a.iv).not.toBe(b.iv); |
| }); |
|
|
| it('should fail to decrypt with wrong auth tag', () => { |
| const { encrypted, iv } = encrypt('test-key'); |
| expect(() => decrypt(encrypted, iv, 'a'.repeat(32))).toThrow(); |
| }); |
|
|
| describe('maskKey', () => { |
| it('should mask long keys', () => { |
| expect(maskKey('gsk_test1234567890abcdef')).toBe('gsk_...cdef'); |
| }); |
|
|
| it('should mask short keys', () => { |
| expect(maskKey('abcd')).toBe('****abcd'); |
| }); |
| }); |
| }); |
|
|